#
 

Protecting Privacy, and Protecting LPR

January 6, 2021

Kevin Uhlenhaker

Happy New Year, everyone! After a crazy 2020, I am sure we are all looking forward to the new year with a mix of excitement and well-founded caution. Our question this month raises cautious concerns about some parking technologies. 


Kevin, 


During 2020 there seemed to be an expanded focus on protecting individual privacy from lawmakers at all government levels. What should we do as a parking organization to help ensure we can continue using technologies such as LPR? 


Interested in Indiana 


Hello, Interested in Indiana, 


Thank you for your question. The use of new technologies, such as license plate recognition (LPR or ALPR), has expanded dramatically over the past few years. This expansion has been driven by the cost reduction of these systems and the general acceptance of this technology in parking organizations. LPR, when used correctly, can have a considerable positive impact on a parking organization. 


Of course, I am assuming most people reading this will know what LPR is, but for those who might not, license plate recognition systems utilize cameras to capture images of license plates. These images are then processed, and the license plate “number” (typically letters and numbers) are returned, along with pictures of the plate and vehicle. More advanced systems can return the plate’s state, along with the make, model, and color of the car. However, these last items’ accuracy is not always as high as the license plate number, which in some systems can be as high as 98-99 percent of vehicles detected. 


When looking at accuracy rates from vendors, these rates are typically stated in the number of plates correctly read vs. the number of vehicles detected. Not the number of vehicles actually present. 


The LPR data can be collected in several ways. In the past, the only way to collect LPR data was with cameras owned directly by the parking organization. These cameras were either fixed, in which the image is captured when the vehicle drives past the camera, or mobile when the camera moves past a parked vehicle. In either situation, the photos are typically stored in the parking organization’s system for a set period. 


Another option is an indirect collection model in which a third party collects the LPR data, and that data is shared with the parking organization for parking purposes. This third-party data can come both from public and private organizations and, in some cases, is also used for the repossession of vehicles and federal law and immigration enforcement activities. 


As the use of these systems has expanded, state and local legislators, as well as privacy groups, have taken a more in-depth look at the use of these systems and the data generated by them. At this point, more than 16 states have enacted laws that control and limit the use of LPR systems and data generated from those systems. 


Additionally, in 2020, 30 states considered or enacted laws focused on expanding the data privacy of citizens’ rights, with 50 states already having some form of data protection legislation on the books. 


As these laws expand, parking organizations can be put at risk if care is not taken to implement and manage their LPR programs. This focus should include policies and procedures on data privacy, ownership, sharing, and use auditing. 


The first step is to have a clear and public LPR privacy policy that controls how and what data is collected, who owns the data, who has access to it, how it is shared, and, most importantly, how long it is kept. Next, training on these policies should be provided to new staff as they join the organization, and annually to the entire organization. In states with more stringent privacy rules, a signed document of understanding and compliance can be useful, as well. In addition to staff policy, contracts with technology providers should clearly require the privacy policies to be followed by the provider with meaningful financial penalties if these regulations are not followed. 


Yearly audits should be performed on how well policies are being followed by the parking staff and the technology provider. Finally, policies should be reviewed and updated yearly, with changes being made based on the annual audit results and any changes to state and local laws. 


The need for auditing was made very clear by a 2020 report from the California State Auditor’s office. On request from the State Legislature, it reviewed four law enforcement agencies on their uses of LPR data and adherence to the state’s LPR laws. While it was only four agencies, the results were not favorable for these organizations. 


They found none of the agencies had privacy policies in place. All four departments were not controlling access to the LPR data correctly, and three of these groups had shared data with hundreds of entities across the United States. The information was retained for longer than needed in most situations. Of the agencies reviewed, 75 percent did not have agreements with their vendors to protect the data, and none of them were performing regular audits of the staff or vendors. 


This situation occurred in a state with LPR laws on the books since 2016. These laws were some of the first put in place in the United States. While we have not seen California’s legislative changes yet, due to this report, the initial lawmaker response was not positive. It led to further scrutiny of the widespread use of LPR systems in California. 


Beyond state audits, privacy groups, such as the ACLU, have continued to take a much closer look at the use of LPR data. They are pushing for restrictions on its use on both a local and state level. 


In some situations, the use of LPR has been grouped with other privacy “invasive” technologies such as facial recognition, Bluetooth tracking, the sale of location data from cell phones, and cross-app tracking. A growing number of people are pushing against using these types of technology, with a few cities even passing laws banning the use of facial recognition late last year.


With all this in mind, in my opinion, the best option to ensure the continued use of LPR in parking organizations is to be proactive. As they say, the best defense is a good offense. Review the recommendations discussed above with your team and come up with a plan of action. 


Assign someone with the responsibility of overseeing the LPR program. Finally, transparently and honestly communicate with the public about your LPR. The use of LPR should be a tool that improves the parking department’s operation and makes parking easier for drivers. If you feel the need to hide the details of your LPR program or the company you are working with for LPR, this should be a red flag. LPR can be a transformative technology, and with the right steps, it can preserve privacy while providing enhanced operational capabilities. 


Good luck with your program. 


Kevin 


If you have a question that you would like me to answer in a future column, comments on this column, or links to the resources used in this article, please reach out at aka@slsinsights.com. 



#